Cookies are flat and crisp baked treats, often sweet and usually delicious. Internet or website cookies are not. Web cookies are small pieces of text data sent between a user’s browser and the websites they visit. If your company’s website uses cookies (we bet it does), it’s a good idea to review the types of information being collected.

Web cookies are useful for lots of reasons, mostly related to keeping websites informed of users’ preferences. For example, thanks to cookies, users don’t have to pick their city of choice every time they visit a weather update site. Thanks, cookies. Cookies also tell ad-serving companies (like Google AdWords) which sites you’ve visited so that you can be served tailored ads, and are responsible for the Mr Porter ad for those rather spiffy loafers following us all over the internet.

For the most part, cookies don’t contain personal information, meaning website operators needn’t worry about falling foul of the various obligations around the collection, use and disclosure of that information under the Privacy Act.

However, some web cookies (and the geeks have confirmed this) do. Broadly speaking, where information can reasonably be used to identify an individual, that information will constitute personal information for the purpose of the Privacy Act. Therefore, if the use of cookies means the website is collecting, for example, an individual’s name or address, Privacy Act obligations kick in.

Those obligations are mostly contained within Australian Privacy Principles 3, 5 and 6 regarding the collection, notification of collection and use and disclosure of personal information. If cookies are collecting personal information, then:

  • Individuals must be notified of that collection; and

  • That information must be handled in accordance with the Australian Privacy Principles.

The Privacy Commissioner has power to impose penalties of up to $1.7 million for breaches of the Privacy Act, so now is a good time to check what kind of cookies you’ve been baking.